Archive

I’ve recently been looking at the implementation of EMC’s free Virtual Storage Integrator (VSI) with a few our older Symmetrix customers. Now customers using VMAX and VMAXe have the ability to deploy delegated storage provisioning for their VMware admins. However DMX customers only have the ability to use the read only storage viewer functionality as the DMX is not supported with Storage Pool Manager (SPM) which back ends the storage provisioning. Some interesting questions came up recently with a customer about how best to deploy the VSI storage viewer with DMX arrays and I thought it would be worth sharing the findings with a wider audience. Basically I’m looking to cover off the different ways the VSI can connect to a Symmetrix array and how some of the options selected affect end to end operations.

VSI to Symmetrix Connectivity

So the VSI tool can be used in two ways with Symmetrix arrays, you can utilise the local Solution Enabler (SE) installation that comes with the VSI or you can use a dedicated Solution Enabler server. It’s important to remember that Symmetrix arrays can only be discovered in-band, basically this means the SE install needs direct connection with the physical array. This is achieved through the presentation of small LUNs known as gatekeeper LUNs, something existing Symmetrix storage teams will be very familiar with. So lets look at the two different possible setups.

Local Solution Enabler Deployment

The local deployment model shown above would require a gatekeeper LUN being presented / zoned through to the machine that the VI Client, VSI and local SE install have been deployed on. Communication with the array in this instance flows directly between the client PC and the array. In the majority of instances this isn’t going to be very practical for a number of reasons.

Each VMware admin client with VSI deployed would need a direct array connection.

Most Symmetrix arrays are FC attached and client PC’s are not.

Arrays live in remote data centres and VMware admin PC’s live in the office.

The remote deployment model shown above would require gatekeeper LUNs being zoned through to a dedicated server. VMware admins would then connect through this remote SE server when querying Symmetrix arrays from information with the VSI. Communication flow in this instance always goes through the server, however as you’ll see later results can be returned from the SE server or the array depending on VSI configuration. This kind of setup is more practical for a number of reasons.

Remote SE servers are usually already in place for storage management tasks.

Available as a virtual appliance for quick deployment if not in place already.

Supports connectivity by multiple remote VMware admins using VSI.

Manage multiple Symmetrix arrays through one server.

Decreases security risk, i.e. single device connection to array.

Mix and Match

The model above is by no means rigid, you can craft a number of solutions out of the principals shown above. If your vCenter server sat in the same data Centre as the array then you could present gatekeeper LUNs to it and use this as a management point whenever you want to get information from the array. Another possible solution is to put a management virtual machine in the datacentre with the VI Client and VSI installed and present a gatekeeper as an RDM, whenever a VMware admin needs information from the array they connect into that management VM to carry out the work. Basically there is a solution for deploying VSI with Symmetrix arrays no matter what you’re setup looks like.

VSI Discovery Process Flow

One question that did come up recently was what happens when you select the AutoSync option for a symmetrix array and you are using the remote SE server solution. How often does it poll the array? Well the answer is it doesn’t, which is strange as the term Autosync gives the impression that it syncs with the array on a regular basis. So how does it work?

AutoSync enabled

When AutoSync is enabled each time you request array data, e.g. clicking on the EMC VSI tab for a datastore. The request forces the SYMAPI database on the remote SE server to be updated from the array, the up to date array information is then returned to the VSI. There is obviously a slight cost involved in doing this as the remote SE server needs to make the calls to the array in order to update it’s local database before responding. Typically this would introduce a 10 – 20 second delay but that cost means you guarantee the information received is up to date and valid.

AutoSync disabled

When Autosync is disabledeach time you request array data the request is returned from the cached information in the local SYMAPI database on the remote SE server. This is obviously the fastest method as you don’t have the cost of querying the array directly for an update but the information may be out of date.

With Autosync disabled it’s up to the VMware administrator to initiate the sync of the array from within the VSI. Alternatively the storage team can initiate sync with the array directly through the SE server using SYMCLI. To initiate a sync manually go into the VSI tool and select Symmetrix arrays from the list of features, highlight the array and click on Sync Array.

Summary

The free EMC VSI Storage Viewer tool can be of great benefit to Symmetrix customers, allowing VMware admins improved visibility of the underlying storage layers. In larger environments where Symmetrix arrays are traditionally used you tend to find VMware and Storage are managed by separate teams. Anything that improves the information flow between the two teams during troubleshooting has to be a must have tool. As show above some thought needs to be given to how you set it up. My personal preference would be to always go for the remote SE server solution. Enable Autosync if your underlying VMware storage environment changes often and if it doesn’t then a manual sync every now and again should suffice.

Additional notes and links

SPC-2 Flags

It’s worth noting that SPC-2 flags need to be set on the FA port or on the initiator of the ESX host for the VSI to work correctly, in fact this is a required setting for ESX generally. This has come up a couple of times recently so I though it worth mentioning to ensure that people have it setup correctly, the following whitepaper gives you more information.

At EMC the vSpecialist team often end up talking to a lot of customers about EMC’sFREE Virtual Storage Integrator (VSI) Plug-ins for vCenter Server. Not only do customers love the fact that it is FREE they also love the features delivered. The ability to accurately view, provision and manipulate EMC storage directly within vCenter empowers VI admins and makes everyone’s life that little bit easier.

When I started writing this article we were on version 4.2 of the VSI plug-ins, following VMworld 2011 we are now up to version 5.0 the fifth generation of this excellent VMware / EMC toolkit. The plug-ins that make up the VSI are listed below, to download use the link below or use the cookie trail to navigate to the page on EMC PowerLink.

One of the great features that people are drawn to is the ability to allow VI admins to provision storage directly from within vCenter. This is done with the VSI Unified Plug-in for Celerra, CLARiiON and VNX(e) and done with the VSI Storage Pool Management plug-in for the VMAX. One of the first question I often get asked is how is the secured, how does the storage team ensure that only the right VMware admins are manipulating the underlying storage?

The answer previously was… well to be honest we didn’t really have an answer to this one. Technically if you allowed the VMware admins to provision storage you needed to trust them not to go provisioning crazy and fill up your storage array. Obviously that response was not really acceptable for any environment and EMC have been working to rectify that.

The Access Control Utility is a new part of the VSI framework which allows storage administrators to granularly control availability of storage platforms and storage pools on those platforms. These security profiles when created can be exported and passed to the VMware administrators and imported into the VSI unified storage management plug-in. The following blog post details the steps involved in completing this process for a VNX array in vSphere 4.1

So we start by double clicking on the shiny padlock icon that will have been added to your desktop when you installed the VSI unified storage management plug-in. When the ACU starts we are presented with the profile management screen. This will of course be blank the first time you start the utility, in this screenshot below however you can see a couple of existing access profiles I have created for some VNX arrays in the lab.

To Create a new profile you simply click the Add button, you are then presented with the details screen for the new access profile being created. Here you enter the name of the profile and a suitable description and click next when finished.

The next step in the wizard is where you define the storage system that will be permissioned as part of the security profile. You click on Add and then select the system you are going to permission, as you can see the VSI ACU supports Celerra, CLARiiON, VNX and the VNXe arrays. For VMAX you need to look at Storage Pool Manager (SPM) to control access, I’ll look to blog about this one at a later date.

The next screen presented very much depends on the storage system you select. If you chose the Celerra option you’re prompted for the details of the control station, username and password. Select the CLARiiON and you’re prompted for the Storage Processor details and login credentials. If you select the VNXe then you’re promoted for the management IP and the login credentials. I’m sure you can see the pattern developing here!

In this example we are dealing with a VNX array and as such the option is whether you want to give access to block storage, file storage or both. As both are controlled differently within the VNX, if you select both you will need to enter the IP and credentials for the Storage Processor (Block) and the VNX Control Station. For the purposes of this example I’m going to use Block only as you can see in the screenshot below.

When you click next you’re prompted to enter the storage processor IP address and log on details as shown below.

Once you are authenticated you get to select the granularity of access you want to provide. It’s important to note that when the ACU refers to storage pools it means any storage pools and traditional RAID groups that may have been created on the VNX array. There are 3 options available as you can see in the screenshot below.

All storage poolsThis option basically gives a VMware Admin free reign to provision LUNs with the VSI all over the array. A potential use case for this may be a dedicated development VMware environment with its own dedicated array where the storage team don’t care to much about usage.

No Storage PoolsThis option is a complete lockdown and acts as an explicit deny to prevent any accidental provisioning on an array, i.e. the VSI unified storage management feature cannot talk to the array full stop, it won’t even show up as an option.

Selected storage poolsAs the name indicates this option allows the selection of certain storage pools for VSI provisioning. A potential use case here would be a mixed environment where the array is shared between VMware and physical workloads. As a storage administrator you would grant permission to the VMware storage pools only thus preventing any potential mis-provisioning (not sure that is actually a word but it certainly has its place when we talk about VSI provisioning)

In this example I’ve chosen selected storage pools as I think this is probably the scenario that most people will be looking for the ACU to help them with. Within the next screen you are presented with a list of all storage pools / RAID groups on the array. Here you select the storage pools / RAID groups you want to give the VMware admin access to, when your happy with your selection you simply select finish. Note in the screenshot below that I have select two individual storage pools (one is a RAID group) to be part of this particular storage profile.

Once you’ve completed storage pool selection you are returned to the profile screen, you can finish your profile creation right here by clicking on finish or you can add additional storage systems if your VMware environment consists of multiple arrays.

Once you have completed the creation of your security profile the next step is to export it so you can pass it over to your VMware admins. To do this simply highlight the Security profile, click on export and save the file

Chose a location to save the file and don’t forget to add a passphrase to the file so that it cannot be misused.

It’s important to remember that the login credentials provided by the storage admin during the ACU profile setup are the ones used when the profile is imported into the VSI. The VMware admin will see the connection details and username being used but will not see the password. For audit purposes on the array it may be best to setup a dedicated account for use with the VSI and storage profiles. It should also be noted that the full details of the storage profile are encrypted within the profile export file as you can see below.

So now that you’ve finished creating your storage profile you can pass it on to the VMware administrators to import into the VSI. To do this you go into vCenter and open up the EMC VSI screen from the home screen. Click on the Unified Storage Management feature, then click on add and select Import Access Profile before clicking next.

You now select the XML file created by exporting the ACU storage profile, you enter the passphrase you selected and click next.

As you can see below the VNX array has been added to the VSI and provisioning access is marked as Restricted. This is as expected as we configured the profile to give access to only two storage pools, FAST_Pool_3_Tier and RAID Group 10.

When you use the EMC VSI to provision storage you will be presented with the VNX array that was part of the imported profile. You select the storage array and as you can see in the screenshot below you can only create storage on the two storage pools that were added to the ACU storage profile.

Summary

The EMC Access Control Utility was something I have been looking to write about for a while. Since it’s release I’ve often wondered how exactly it worked, what it could / could not do and how it could better meet customer needs. The steps above show that it is possible for a storage team to delegate control of storage pools so VMware admins can quickly provision the storage that they need. Becoming more efficient is something we as vSpecialists talk about on a daily basis, this tool is one of those first steps that you can take to make life easier. If you are a VMware admin who is working with EMC storage then I suggest you speak to your storage team about this. Likewise if you are a storage admin, reach out to your VMware counterparts and discuss how this could save you both time in the long term.

Video

My boss Chad Sakacc put a video together for VMworld 2011 which maybe explains it better (certainly quicker) than I maybe have in this blog post. I left it to the end though so you read the article before discovering it . My step by step approach is simply so I can fully understand how it fits together and as I go deal with the many “what if” or “how does that work” kind of questions. Hope you find it useful in some way, feel free to comment or ask questions.

I have been trying desperately this week to keep up to date with the latest announcements coming out of EMC World 2010. Problem is they appear to be making them and blogging about them faster than I can read and assimilate them.

One blog post that did catch my attention was a post by EMC’s Chad Sakac. Chad constantly amazes me, he generates a massive amount of super high quality technical content for the EMC and VMware community. His blog post was entitled “EMC’s next generation vCenter Plugins” and details the latest and greatest offerings from EMC’s Free vCenter plugins.

The Virtual Storage Integrator (VSI) V3.0.0 is a renaming of the existing EMC Storage Viewer 2.1 plugin that has been available for a while. Why the rename? Well EMC are introducing tighter integration by enabling storage provisioning from within vCenter, it’s now surpassed being just a storage viewer. The storage provisioning integration works with the CLARiiON across all protocols (FC, ISCSI, FCOE) and it also works with NFS on the Celerra. It also adds greater degrees of simplicity and reduces risk by automating all the tasks involved in provisioning and presenting storage to your vSphere cluster.

Chad explains it in much more detail and much better than I ever could in the following video.

I personally feel that the benefits of EMC’s ownership and tight working relationship with vSphere are beginning to shine through. Such tight levels of integration are now being delivered and future development doesn’t look likely to slow down either. The quote from Chad below show’s how aggressively his team are working to constantly bring new features to the table and best of all, there completely free!

EMC Virtual Storage Integrator (or VSI) is the main EMC vCenter plug-in. Over time, more and more functions that currently require installing one or more additional plugins will fold into the EMC Virtual Storage Integrator. We’re beefing up the team behind it, and they have a very aggressive roadmap (wait till you see what’s next!!!)

Click the link below to find out more about what vCenter plugins are available, what they’re designed to do and where you can download them from in EMC Powerlink.